After upgrade from 3.11* to 3.12.6-r[12] kernels I've noticed warning messages during shutdown (yes, with an empty binary name!):

    grsec: denied exec of usermode helper binary located outside of /sbin and system library paths

I'm using systemd + dracut and systemd switches back to initramfs during shutdown [1]. Warnings are printed right after the switch.

This comes from the following code (kernel/kmod.c):

    #ifdef CONFIG_GRKERNSEC
    	/* this is race-free as far as userland is concerned as we copied
    	   out the path to be used prior to this point and are now
    	   operating on that copy
    	*/
    	if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
    	     strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7)) ||
    	     strstr(sub_info->path, "..")) {
    		printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of /sbin and system library paths\n", sub_info->path);
    		retval = -EPERM;
    		goto fail;
    	}
    #endif

[1] http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/
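The following is an added, stand-alone userland re-implementation of the kernel/kmod.c check quoted in the report above; it is not code from the report or from the grsecurity patch itself. It walks a few constructed sample paths, including the empty string the reporter saw, to show why the message is printed with a blank binary name: an empty path matches none of the allowed prefixes, so every branch of the && chain is true and the helper is refused. The function names umh_path_allowed and count_denied are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the condition from the quoted kernel/kmod.c snippet (added example,
 * not the kernel's own code). Returns 1 when the usermode-helper path would be
 * accepted and 0 when it would be refused with -EPERM. */
static int umh_path_allowed(const char *path)
{
    static const char *const prefixes[] = { "/sbin/", "/usr/lib/", "/lib/", "/lib64/" };
    size_t i;
    int under_allowed_prefix = 0;

    /* First half of the kernel condition: the path must start with one of the
     * allowed directories. An empty string fails strncmp("", "/sbin/", 6)
     * exactly like any other non-matching path, hence the blank name in the
     * report's log line. */
    for (i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        if (strncmp(path, prefixes[i], strlen(prefixes[i])) == 0) {
            under_allowed_prefix = 1;
            break;
        }
    }
    if (!under_allowed_prefix)
        return 0;

    /* Second half of the kernel condition: any ".." anywhere in the path is
     * refused, so an allowed prefix cannot be escaped by traversal. */
    if (strstr(path, ".."))
        return 0;

    return 1;
}

/* Constructed sample inputs for the demonstration; the empty string is the
 * case seen in the original report. */
static const char *const samples[] = {
    "/sbin/modprobe",
    "/usr/lib/systemd/systemd-cgroups-agent",
    "/lib64/helper",
    "/sbin/../tmp/helper",
    "/tmp/helper",
    "",
};
static const size_t nsamples = sizeof samples / sizeof samples[0];

/* Applies the check to each path, prints a verdict in the format of the
 * quoted printk, and returns how many were denied. */
static int count_denied(const char *const *paths, size_t n)
{
    size_t i;
    int denied = 0;

    for (i = 0; i < n; i++) {
        if (umh_path_allowed(paths[i])) {
            printf("allowed: %s\n", paths[i]);
        } else {
            printf("grsec: denied exec of usermode helper binary %.950s "
                   "located outside of /sbin and system library paths\n",
                   paths[i]);
            denied++;
        }
    }
    return denied;
}

int main(void)
{
    int denied = count_denied(samples, nsamples);
    printf("%d of %zu sample paths denied\n", denied, nsamples);
    return 0;
}
```

Running it prints one line per sample; the last denial line ends in "binary  located", with nothing between the two words, which is the same blank-name output the reporter observed for an empty sub_info->path.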
Confirmed with hardened-sources-3.13.5 and systemd-208-r2, without dracut.
spender may want to relax those paths for systemd. If not, it would be easy to create a patch. What paths would need to be allowed?
sub_info->path is empty according to the messages.
This has already been fixed in newer patches.
Indeed. I'm using 3.14.18-r1 now and don't see these messages.